Apache Axis2/c SSL/TLS Hostname validation

2013.01.13

Credit: Seth Arnold

Risk: High

Local: No

Remote: Yes

CVE: CVE-2012-6107

CWE: CWE-310

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
http://www.openwall.com/lists/oss-security/2012/11/07/1
This was part of the fallout from this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.
Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.
https://issues.apache.org/jira/browse/AXIS2C-1619
http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser
Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.

References:

http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

https://issues.apache.org/jira/browse/AXIS2C-1619

http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache Axis2/c SSL/TLS Hostname validation

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.